Crossley, Mark

Lindell, Joakim

Abstract [en]

Passwords are used more now than ever before. Their use is based on the idea that the password is only known to the user and that its secrecy prevents others from accessing potentially valuable or sensitive information. But how secret is a password in today's high-tech world? Passwords are generally converted into hash sums and saved in databases. Cracking a password requires that the process is reversed so that the actual password can be derived from the hash sum. This cracking process can be achieved by two methods. An attacker can test all the possible combinations (brute force cracking), or the attacker can compare the password with a list of commonly used passwords (cracking with wordlists).

This paper investigates a password's vulnerability to both brute force cracking and cracking via wordlists. It uses a modern computer's processing speeds to establish the amount of time to crack a certain password via brute force cracking. It also deploys state-of-the-art techniques to examine a password's content. It analyses three databases from different online communities to examine any possible correlation between a user's hobby interest and their choice of password.

This paper finds that the majority of passwords won't remain secret for very long. Short passwords that use a small alphabet are particularly vulnerable to brute force attacks. However, due to the increasing speed of modern computers, even passwords which are twelve characters long are still potentially vulnerable. This paper finds that users from a variety of online communities choose common passwords which are likely to be on a wordlist and thus susceptible to cracking via wordlist attacks.

This paper provides suggestions on how a user can choose a stronger password.